Are security researchers exposed to potential criminal charges?

Security research is sometimes a thankless task. Take the well-known example of Michael Lynn, the ISS employee who publicly disclosed a vulnerability in Cisco routers and then got into a whole bucket of trouble.

But the ultimate in thanklessness is going to prison. That fate might very well be in the cards for Eric McCarty:

On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

It’s a bit distressing that reporting a security bug in good faith could land someone in prison. There should be some kind of “good Samaritan” exclusion for researchers who find a flaw and report it rather than exploit it.

Link here, with a hat tip to Ferg.